A new report out today from Zenity Labs, the research arm of agentic security company Zenity Ltd., details a family of vulnerabilities affecting agentic browsers, including Perplexity AI Inc.’s Comet browser, that can enable zero-click agent hijacking, local file exfiltration and even password vault takeover within authenticated sessions.

The vulnerabilities, dubbed “PleaseFix,” target a new class of AI-powered browsers that go beyond rendering webpages and instead interpret instructions and autonomously execute tasks across applications. According to Zenity’s researchers, the execution model introduces what they call an “agent trust failure” where untrusted content can influence an AI agent to take sensitive actions without the user’s awareness.

In Perplexity’s Comet browser, Zenity identified a subfamily of issues it calls “PerplexedBrowser.”

The first exploit path allows for zero-click compromise, where attacker-controlled content, such as a malicious calendar invitation, can trigger Comet to access the local file system and exfiltrate data while continuing to return expected results to the user. The second exploit path allows attackers to manipulate password manager interactions, including with 1Password Inc., to extract stored credentials or even achieve full account takeover by abusing agent-authorized workflows without directly exploiting a flaw in the password manager itself.

In various tests, the Zenity Labs researchers were able to demonstrate how Comet could be steered, via indirect prompt injection embedded in untrusted content, to operate inside an authenticated 1Password web session. Once inside, the agent could navigate vault entries, reveal stored usernames and passwords and exfiltrate them through ordinary web requests.

The researchers also successfully triggered an escalation scenario where the agent navigates to account settings, changes the master password to an attacker-controlled value and extracts recovery material such as the account email address and Secret Key. The risk is serious because 1Password functions as a control plane for many users’ digital identities, such an account takeover could enable rapid downstream compromise of other services.

Zenity did responsibly disclose the vulnerabilities and the findings to both Perplexity and 1Password before publication.

Perplexity addressed the underlying browser-side execution issue and introduced additional mitigations, including stricter user confirmation for sensitive actions and enterprise controls that allow administrators to disable the agent on designated sites. 1Password acknowledged the ecosystem-level risk and introduced new hardening options, including disabling automatic sign-in and requiring explicit confirmation before autofilling credentials.

Though the specific vulnerabilities may be patched, Zenity argues that security issues with AI browsers and agentic systems remain ongoing.

“This is not a bug. It is an inherent vulnerability in agentic systems,” said Michael Bargury, co-founder and chief technology officer. “Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted. This is an agent trust failure that exposes data, credentials and workflows in ways existing security controls were never designed to see.”

Image: SiliconANGLE/Ideogram